Does new code on bank scams really offer greater protection to customers?

NOT so long ago UK banks didn’t really seem to care too much about customers who had fallen victims to online fraudsters.

Indeed, up until consumer organisation Which? filed a super-complaint with the Payment Systems Regulator (PSR) in 2016, customers who had been tricked into making cash transfers to criminals posing as legitimate businesses did not have all that great a chance of getting any of their money back.

Last year alone 84,000 people lost a total of £354 million to scammers, who operate by fooling customers into thinking they represent organisations - such as tradesmen - that they may genuinely be due to pay a bill to. Of that, just £83m ended up being refunded.

That could all be about to change, though, with eight major banking groups – Barclays, HSBC, Lloyds Banking Group, Metro, Nationwide, Royal Bank of Scotland, Santander and Starling Bank – and their subsidiary brands coming up with a code of practice that promises to refund defrauded customers who can prove they took all necessary steps to protect themselves.

Having drawn up the voluntary code at the PSR’s behest, the banks have also created the standalone fund that will be used to reimburse those customers within 15 days of falling victim to a so-called authorised push-payment scam.

The move is, according to the chief executive of industry body Finance UK, “a significant moment” for the banking industry that will bring a “new level of protection” to consumers affected by these types of scams.

“Defending customers from fraud and preventing stolen money from going to criminals is a core priority for the finance industry,” Stephen Jones said.

“Firms who have signed up to the code have committed to new standards of consumer protection and to reimbursing the victims of these scams, provided the customer has met the standards expected of them.”

The code has also been welcomed by the regulator, whose co-managing director Chris Hemsley praised the “significant amount of work” done by consumer groups as well as the banking industry to make it a reality.

“[Push payment] scams can have a devastating impact on the people who fall victim to them,” he said. “The code is a major step-up in protections and it reflects our strong belief that if somebody has done everything they can reasonably do to protect themselves, they should be reimbursed.”

Yet while it is clear that the new code is a positive step, not all consumers will be protected by it because not all banks have signed up to it. While TSB has put its own refund policy in place and the likes of Clydesdale Bank and Tesco Bank plan to sign up to the code in future, it is thought that others have shied away from it because they feel its protection may actually encourage fraudsters.

At the same time, while the PSR consulted on implementing payee-confirmation technology along with the code – something that could stop push-payment scams occurring in the first place – it admitted in February that given the “technical complexities to be addressed” further work would need to be done before that could become a reality. The regulator gave no indication this week of how advanced that work is or when it might complete.

London-based fintech business Shieldpay, which has developed technology that holds funds securely until until the identity of all parties to a transaction has been verified, only releasing the cash when all sides have indicated that they are happy to proceed, believes this is a mistake.

“While the voluntary code which commits banks to refund blameless victims of fraud is a welcome step forward, compensation is simply firefighting without tackling the source of the problem,” said Shieldpay director of consumer Tom Clementson.

“Fraudsters must be stopped in their tracks and banks have a vital role to play in this.

“Increasingly sophisticated technology that verifies the identity of both sides in a transaction and holds the money securely until both sides agree they’re happy, can eliminate the risk of fraud.

“Only this way can we start to make a dent in the fraudsters pockets and prevent consumers from becoming victims.”

Unless and until banks do start using such technology, though, the best way for consumers to make sure they do not lose out is to never click send until they are completely satisfied the account their cash is going to is a legitimate one.

With fraudsters developing increasingly sophisticated techniques this can be easier said than done, but as a general rule of thumb you should never trust someone just because they know some of your personal details, never automatically click on a link received in an unexpected email or text, and never respond to uninvited requests for information.

Comments & Moderation

Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.

This website and associated newspapers adhere to the Independent Press Standards Organisation's Editors' Code of Practice. If you have a complaint about the editorial content which relates to inaccuracy or intrusion, then please contact the editor here. If you are dissatisfied with the response provided you can contact IPSO here